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An authentication in a GSM based mobile comunications system 
relies on a challenge and response principle. A 32-bit Signed Response 
(SRES) parameter is calculated by A3 algorithm from a 128-bit Random 
Number (RAND) and a 128-bit Authentication Key Kj in a mobile 
station and in an authentication center, and the SRES values are 
compared. A CAVE algorithm having a 152-bit input parameter and 
an 18-bit output parameter is employed as the A3 algorithm. Paramater 
adaptation functions are provided between the input parameter of the 
CAVE algorithm and the GSM type input parameters, namely the 
random number RAND and the authentication key Kj, as well as between 
the output parameter of the CAVE algorithm and the GSM output 
parameter, namely the signed response SRES. 



RANDOM 
NUMBER 
GENERATOR 



TRIPLET BUILDING 



GSM SPECIFIC TRIPLET 



SIGNALLING INTERFACE 
j 

HLRA/LR 



FOR THE PURPOSES OF INFORMATION ONLY 



Codes used to identify States party to the PCT on the front pages of pamphlets publishing international 
applications under the PCT. 



AM 


Armenia 


GB 


United Kingdom 


MW 


Malawi 


AT 


Austria 


GE 


Georgia 


MX 


Mexico 


AU 


Australia 


GN 


Guinea 


NE 


Niger 


BB 


Barbados 


GR 


Greece 


NL 


Netherlands 


BE 


Belgium 


HU 


Hungary 


NO 


Norway 


BF 


Burkina Faso 


IE 


Ireland 


NZ 


New Zealand 


BG 


Bulgaria 


IT 


Italy 


PL 


Poland 


BJ 


Benin 


JP 


Japan 


PT 


Portugal 


BR 


Brazil 


KE 


Kenya 


RO 


Romania 


BY 


Belarus 


KG 


Kyrgystan 


RU 


Russian Federation 


CA 


Canada 


KP 


Democratic People's Republic 


SD 


Sudan 


CF 


Central African Republic 




of Korea 


SE 


Sweden 


CG 


Congo 


KR 


Republic of Korea 


SG 


Singapore 


CH 


Switzerland 


KZ 


Kazakhstan 


SI 


Slovenia 


CI 


Cote d'lvoire 


LI 


Liechtenstein 


SK 


Slovakia 


CM 


Cameroon 


LK 


Sri Lanka 


SN 


Senega] 


CN 


China 


LR 


Liberia 


sz 


Swaziland 


CS 


Czechoslovakia 


LT 


Lithuania 


TD 


Chad 


CZ 


Czech Republic 


LU 


Luxembourg 


TG 


Togo 


DE 


Germany 


LV 


Latvia 


TJ 


Tajikistan 


DK 


Denmark 


MC 


Monaco 


TT 


Trinidad and Tobago 


EE 


Estonia 


MD 


Republic of Moldova 


UA 


Ukraine 


ES 


Spain 


MG 


Madagascar 


UG 


Uganda 


FI 


Finland 


ML 


Mali 


US 


United States of America 


FR 




MN 


Mongolia 


UZ 


Uzbekistan 


GA 


Gabon 


MR 


Mauritania 


VN 


Viet Nam 



WO 97/15161 



PCT/FI96/00543 



1 

Subscriber authentication in a mobile communications 
system 

Field of the invention 

5 The present invention relates to security- 

functions in mobile communications networks, and 
particularly to a subscriber authentication in mobile 
communications networks. 

10 Background of the invention 

In all telecommunication networks both the users 
and the network operator have to be protected against 
undesirable intrusion of third parties as far as 
possible. Thus several kinds of security functions are 

15 needed in the networks. The major aspects of the network 
security are 1) the protection of the information that 
the network conveys; and 2) authentication and access 
control of the users of the network. The major security 
mechanism for the protection of information is, and is 

20 likely to remain, some form of encryption. Authenti- 
cation is a means of trying to ensure that information 
comes from the source it is claimed to come from. It is 
typically based on passwords and keys. Access rights are 
assigned in terms of the ability to send and/or receive 

25 via the transmission medium. Also access mechanisms 
typically depend on some form of password or key. 

Due to the use of radio communications for 
transmissions to the mobile subscribers, radio accessed 
networks, such as Public Land Mobile Networks (PLMN) , 

30 are particularly sensitive to misuse of their resources 
by unauthorized users and eavesdropping on the 
information which is exchanged on the radio path. This 
comes from the possibility to listen to and transmit 
radio signals from anywhere, without tampering with 

35 user's or operator's equipment. It can be seen that 
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PLMNs have a need for a higher level of security than 
traditional telecommunication networks. 

The pan-European digital cellular radion which is 
known as GSM (Global System for Mobile Communications) 
5 contains a highly secure authentication system. It is 
based on socalled challenge and response principle. At 
subscription time a secret number called a Subscbiber 
Authentication Key (K A ) is allocated to the subscriber 
together with an International Mobile Subscriber 

10 Identity (IMSI) . K L is stored in a special purpose 
element of the GSM network, called an Authentication 
Center (AUC) which is associated with or linked to a 
Home Location Register (HLR) of the subscriber. AUC 
contains also a ciphering algorithm, called A8 , and an 

15 authentication algorithm, called A3, as well as a 
generation of random numbers RAND. A parameter called a 
ciphering key K c is generated from K t and RAND by the 
algorithm A8 . Similarly, a parameter called a Signed 
Response SRES is generated from K L and RAND by the 

2 0 algorithm A3. The three parameters RAND, K c and SRES make 
up a "triplet" specific of a subsriber to be used for 
further authentication and ciphering. In order to avoid 
calculation and transfer of triplet every time it is 
needed, several triplets are calculated in advance for 

25 each subscriber by AUC /HLR and on request delivered to a 
Visitor Location Register VLR and a Mobile Services 
Switching Center (MSC) there they are stored. MSC/VLR 
will always have at least one triplet unused for each of 
its visitor subscribers. Tight security requires that a 

30 triplet is used only once, for one communication, and is 
then destroyed. When a subscriber has used all it's 
available triplets, the AUC /HLR is then requested to 
calculate and send back a new series. 

A GSM mobile station is split into two parts, one 

35 which contains the hardware and software specific to the 
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radio interface, the mobile equipment, and and another 
which contains the subscriber specific data: the 
Subscriber Identity Module or SIM. Each subscriber has 
the SIM, typically in a form of a smart card, which 
5 takes responsibility for most of the security functions 
at the mobile station side. It stores K it the 
authentication algorithm A3 and the ciphering algorithm 
A8, as well as the ciphering key K c received from the 
network side. 

10 During authentication, the VLR/MSC sends the 

random number RAND (and also K c ) of the triplet to the 
mobile station. The mobile station, more particularly 
the SIM, processes RAND using the authentication 
algorithm A3 and the authentication key K ir and returns 

15 the resulting Signed Response SRES to the VLR/MSC. This 
SRES is checked against the SRES of the triplet given by 
the HLR to. If the two SRESes are equal to each other, 
the access is allowed, and otherwise denied. 

All the security mechanism in the GSM rely on 

20 secrecy of authentication key K^ K L is never transmitted 
and never leaves the AUC/HLR. Also the SIM protects 
completely K t against reading. Because the mathematical 
algorithm A3 works only one way (one-way trap door 
function) it is impossible to derive the key from the 

25 RAND-SRES pairs transmitted. Further the authentication 
algorithm A3 itself is a secret algorithm, it can not be 
found even in the GSM specifications. The specifications 
only require that computation of Ki knowing RAND and SRES 
should be as complex as possible. This level of 

3 0 complexity determines which security level has been 
achieved. Beyond this requirement, the only constraint 
imposed on A3 is the size of the input parameter (RAND 
is 128 bits long) and the size of the output parameter 
(SRES must be 32 bits long) . K A can be of any format and 

35 lenght when stored in Auc/HLR, only if Ki would be 
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transported in the network it would be constrained to a 
maximum lenght of 128 bits. In fact, the design choices 
of GSM, both in the mobile station and in the 
infrastructure, make it possible for the operators to 
5 choose the A3 applicable to their own subcsribers 
independently from other operators. 

In the U.S. A a digital cellular system called 
Personal Communications System (PCS) is under 
development. The US PCS is based on the GSM system in a 

10 great extent, especially as regards network architecture 
and protocols, including the security functions. 
However, some minor modifications are being made in 
various parts of the system. One potential modification 
might be that authentication algorithm A3 used in the 

15 GSM system would be replaced by CAVE algorithm in the US 
PCS since the CAVE algorithm has been developed in the 
USA and is already used in analog AMPS networks 
(Advanced Mobile Phone Service) . The CAVE algorithm 
which might be suitable to be used for authentication in 

20 the PCS system would have an 152 -bit input parameter 
consisting of a number of concanated information fields, 
and a 18 -bit output parameter, whereas the A3 algorithm 
in the GSM has the 128 -bit K A and RAND parameters as 
input parameters and 3 2 -bit SRES parameter as an output 

25 parameter. Therefore, replacement of A3 with the CAVE 
algorithm in a GSM based mobile communications system is 
not possible without further modifications. However, 
modifications may easily affect in various protocols, 
functions, messages and data structures throughout the 

3 0 system and thereby make the CAVE algorithm technically 
and economically inattractive . A further disadvantage is 
that the compability with the GSM system will be lost, 
and consequently, for example, SIM roaming between the 
GSM and US PCS systems will not be possible. 



35 
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Summary of the Invention 

An object of the invention is to enable the use 
of the CAVE algorithm as the A3 algorithm in the GSM 
system or in a GSM based mobile communications network 
5 without incurring modifications in GSM authentication 
parameters . 

A further object of the invention is to enable 
the use of the CAVE algorithm as the A3 algorithm in the 
GSM system or in a GSM based mobile communications 
10 network without modifications in the GSM triplet data 
structure . 

A still further object of the invention is to 
enable the use of the CAVE algorithm as the A3 algorithm 
in the GSM system or in a GSM based mobile 
15 communications network but otherwise retain the security 
functions of the standard GSM system. 

One aspect of the invention is an authentication 
method for a mobile communications network, comprising 
steps of 

20 utilizing an authentication procedure intended to 

be used with a first authentication response calculation 
method, 

utilizing a second authentication response 
calculation method instead of said first authentication 
25 response calculation method, 

providing an authentication key compatible with 
said first authentication response calculation method 
but incompatible with said second authentication 
response calculation method, for each subscriber of said 
3 0 mobile communications network, 

generating a random number compatible with said 
first authentication response calculation method but 
incompatible with said second authentication response 
calculation method, 
35 deriving an input parameter compatible with said 
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second authentication response calculation method from 
said authetication key and said random number, 

calculating by said second autentication response 
calculation method an authentication response 
5 incompatible 

with a authentication response format of said 
authentication prosedure utilized in said mobile 
communications network, 

modifying said authentication response into a 

10 format compatible with said authentication response 
format of said authentication procedure, 

transferring and storing said authentication 
response in said mobile communications network in said 
format compatible with said authentication procedure. 

15 According to the invention parameter adaptation 

functions are provided between the input parameter of 
the CAVE algorithm and the GSM type input parameters, 
namely the random number RAND and the authentication 
key K if as well as between the output parameter of the 

2 0 CAVE algorithm and the GSM output parameter, namely the 
signed response SRES . As a result no modifications are 
needed in the CAVE algorithm itself, nor it is necessary 
to depart from the GSM type security functions elsewhere 
than in the calculation of SRES in the authentication 

25 center AUC/HLR and in the mobile station MS. 



Brief Description of the Drawings 

The preferred embodiments of the invention will 
be described with reference to attached drawing, wherein 

Fig. 1 is a block diagram illustrating a GSM 
based cellular mobile radio system, 

Fig. 2 is a functional block diagram of the prior 
art authentication and ciphering parameter processing 
unit in the authentication center AUC, 
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Fig. 3 is a functional block diagram of the prior 
art authentication and ciphering parameter processing 
unit in the mobile station MS, 

Fig. 4 is a functional block diagram of the the 
5 authentication and ciphering parameter processing unit 
in the MSC/VLR, 

Fig. 5 illustrates the signalling related to the 
generation, transfer and use of the authentication and 
ciphering parameters, 
10 Fig. 6 is a functional block diagram of the 

authentication and ciphering parameter processing unit 
according to the invention in the authentication center 
AUC, 

Fig. 7 is a functional block diagram of the 
15 authentication and ciphering parameter processing unit 
according to the invention in the mobile station MS. 

Preferred Embodiments of the Invention 

The present invention can be applied in the 

2 0 Paneuropean digital mobile radio system GSM or in any 

GSM based mobile radio system, such as DCS1800 digital 
communication system and the U.S. digital cellular 
system called Personal Communication System (PCS) . 
Although the preferred embodiment of the invention will 
25 be described as an application in a standard GSM system 
in the following, the primary field of the application 
will apparently be the PCS system in the U.S.A. The 
structure and operation of the GSM system are well known 
to one skilled in the art and defined in the GSM 

3 0 specifications issued the European Telecommunications 

Standards Institute ETSI . A reference is also made to 
the GSM system for a mobile communications, M.Mouly & 
M.Pautet, Palaiseau, France, 1992; ISBN2-9507190-0-7 . 

The basic structure of GSM system is shown in 
3 5 Figure 1. 
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The GSM structure consists of two parts: the base 
station subsystem (BSS) , and the network subsystem 
(NSS) . The BSS and the mobile stations MS communicate 
via radio connections. In the BSS, each cell is served 
5 by a base transceiver station (BTS) . A group of BTS is 
connected to a base station controller (BSC) whose 
function is to manage the radio frequencies and channels 
used by the BTS. The BSCs are connected to a mobile 
switching centre (MS) . The MSC is for switching calls 

10 involving at least one mobile station MS. Certain MSCs 
are connected to other telecommunication networks such 
as the public switched telephone network (PSTN) , and 
contain gateway functions for handling calls to and from 
these networks . These MSCs are known as gateway MSCs 

15 (GMSCs) . 

There are two main types of database concerned 
with the routing of calls. There is a home location 
register (HLR) that stores subscriber data on all the 
subscribers of the network on a permanent or 

20 semipermanent basis, including information on the 
services to which the subscriber may have access, and 
the current location of the subscriber. The second type 
of register is the visitor location register (VLR) . The 
VLR is attached generally to one MSC, but it may, 

25 however, serve several MSCs. It is common practice that 
VLR is integrated into the MSC. This integrated network 
element is known as visitor MSC (VMSC) . Whenever a 
mobile station MS is active (logged on and able to make 
or receive a call) most of the mobile subscriber data 

30 about a mobile station MS that is held in the HLR is 
downloaded (copied) into the VLR of the MSC in whose 
area the mobile MS is . 

As noted above, in the mobile radio service, 
great care must by taken to prevent unauthorized call 
35 attempts and intrusion or listening-in by third parties. 
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Protection mechanisms in GSM system authenticate the 
calling or called mobile station, and use ciphering key- 
to encode speech and data on the traffic channel . 

The prior art mechanism according to the GSM 
5 specifications for providing authentication and 
ciphering keys will now be described with reference to 
Figures 2 , 3 , 4 and 5 . 

At subscription time a secret number called a 
subscriber authentication key (KJ is allocated to the 
10 mobile subscriber together with an international mobile 
subscriber identity (IMSI) . As shown in Figure 2, the 
authentication centre AUC comprises a database 2 0 which 
stores the authentication key Ki for each mobile 
subscriber in the GSM network. of the mobile 

15 subscriber can be retrieved from the database 20 using 
the IMSI of the mobile subscriber as an index. The AUC 
is further provided with an ciphering algorithm A8 , an 
authentication algorithm A3, and a random number 
generator 21. The random number generator 21 provides 

2 0 random numbers RAND having length of 12 8 bits. The key K± 
retrieved from database 2 0 and the random number RAND 
from the random number generator 21 are used as input 
parameters in the authentication algorithm A3 to 
calculate the signed response SRES, and as input 

25 parameters in ciphering algorithm A8 to calculate the 
ciphering key K c for traffic channel encoding. The three 
parameters RAND, SRES and K c make up a triplet for a 
mobile subscriber. 

The triplets will be transferred further to the 

30 visited MSC/VLR to be used for authentication and 
ciphering as will be explained in more detail below. 

A triplet is used only once, for one 
communication, and is then destroyed. In order to avoid 
calculation and transfer of triplet every time it is 

35 needed, several triplets are calculated in advance for 
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each mobile subscriber by AUC/HLR and on request 
delivered to the visited MSC/VLR where they are stored. 

The visited MSC/VLR stores a reserve of a few of 
such triplets per subscriber to be retrieved at need. 
5 Referring to Fig. 4, there is shown an example of a 
security parameter file 40 maintained in the visited 
MSC/VLR. The file 40 contains n triplets l...n for each 
IMSI (subscriber) . 

This reserve in the security parameter file 40 is 

10 first established when the mobile subscriber first 
registers in the visited MSC/VLR: it is part of the 
subscriber data downloaded from the HLR in the INSERT 
SUBSCRIBER DATA message. When a subscriber has used all 
it's available triplets, the AUC/HLR is then requested 

15 to calculate and send back a new series. Referring to 
Fig. 5, this triplet replenishing produce consist of two 
messages: SEND PARAMETERS message and it's answer, SEND 
PARAMETERS RESULT message. The former message contains 
the IMSI of the mobile subscriber which is used to 

20 retrieve the K t for calculation of the triplets as 
described above with reference to Fig. 2. The calculated 
triplets will be delivered to the MSC/VLR in the SEND 
PARAMETERS RESULT message and stored in the VLR. 

Referring further to Fig. 4, the mobile station 

25 MS sends an access request to the MSC/VLR. The MSC/VLR 
retrieves one of the triplets reserved for the 
subscriber of the mobile station MS in the security 
parameter file using the IMSI as an index. The MSC/VLR 
conveys on one hand the value of K c to the channel 

3 0 equipment in the BSC to be used in the traffic channel 
ciphering, and on the other hand the value of RAND to 
the MS in the AUTHENTICATION REQUEST message, as shown 
by block 41 in Fig. 4. On basis of the RAND the mobile 
station MS calculates the other values of the triplet 

35 (SRES and K c ) . 
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Referring to Fig. 3, the MS stores a copy of the 
ciphering key K A of the mobile subscriber, as well as the 
ciphering algorithm A8 and the authentication algorithm 
A3 . On receiving the AUTHENTICATION REQUEST message for 
the MSC/VLR, the MS extracts the RAND from the message, 
and then inputs the RAND and the stored K i to the 
algorithms A3 and A8 . For calculating the signed 
response SRES and the ciphering key K c , respectively. The 
calculated SRES will be conveyed to the MSC/VLR in the 
AUTHENTICATION RESULT message for completing the 
authentication as shown in Figs. 4 and 5. 

Referring to Fig. 4, the MSC/VLR extracts the 
value of SRES from AUTHENTICATION RESULT message (block 
42) and retrieves the stored value of SRES from the file 
15 40 (block 43) . Then, for this communication, prior to 
any other processing, the MSC/VLR "authenticates" the 
mobile subscriber by checking that the SRES calculated 
in the AUC/HLR is identical to the SRES calculated in 
the MS (block 44) . If the two values are identical, the 
access is granted (block 45) . If the two values are not 
identical, the access is denied (block 46) . 

The ciphering procedure is not relevant to the 
present invention and will not be described in more 
detail herein. 

25 as noted in the background art of the invention, 

it might be a need to use the CAVE algorithm as the 
authentication algorithm A3 in the USA a digital 
cellular system called Personal Communications System 
(PCS) , or other cellular systems based on the GSM system 

3 0 in a great extent, especially as regards network 
architecture and protocols, including the security 
functions. The CAVE algorithm has been developed in the 
USA and the availabilily of the CAVE algorithm 
information is governed under ITAR (U.S. International 

35 Traffic and Arms Regulation) . However, the CAVE is 



20 
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already used in analog AMPS networks (Advanced Mobile 
Phone Service) and its input /output parameters are 
specified in EIA/TIA srandard IS-54. The CAVE algorithm 
has an 152 -bit input parameter consisting of a number of 
5 concanated information fields, and a 18 -bit output 
parameter. Problems are, however, encountered in the 
practical implementation due to the fact that the A3 
algorithm in the GSM system has the 128 -bit K L and RAND 
as input parameters and 32 -bit SRES as an output 
10 parameter. 

These problems will be overcome when, according 
to the present invention, an adaptation of the 
parameters is made at the input and output of the CAVE 
algorithm. As a result, no modifications are needed in 
15 the CAVE algorithm itself, nor it is necessary to depart 
from the GSM specifications elsewhere than in the 
calculation of SRES in the AUC/HLR and the MS. 

The preferred embodiments of the parameter 
adaptation according to the invention will now be 
20 described with reference to Figs. 6 and 7. 

Referring now to Fig. 6, the authentication 
centre AUC according to the invention comprises a 
database 6 0 and a random number generator 61 which are 
similar to the database 20 and generator 21 shown in 
25 Fig. 2. The database 60 stores the 128-bit 
authentication keys K t according to the GSM 
specifications for all mobile subscribers of the GSM 
network, indexed by the IMSIs. The IMSI by which the iq 
is selected for furher calculation is receide from a 
30 signalling interface 67 which receives it from HLR or 
VLR, eg. in the SEND PARAMETERS message. The random 
number generator 61 provides the 128 -bit random numbers 
RAND in accordance with the GSM specifications. 

The Ki and RAND are inputs to the ciphering 
35 algorithm A8 which calculates the 64-bit ciphering key K c 
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in accordance with the GSM specifications. In other 
words, the calculation of K c is identical to that 
described with reference to Fig. 2. 

The 128 -bit RAND is also an input to a truncation 
5 unit 62 which truncates the RAND into 24 -bit truncated 
RAND (TRAND) . The TRAND may contain, for example, 24 
most significant bits of RAND. It is appreciated, 
however, that the truncation operation as used herein is 
intended to cover any method to derive 24 -bit random 

10 number TRAND from the 12 8 -bit random number RAND. It 
should be noted that although the lenght of K i is 128 
bits in the preferred embodiment, it may have any length 
of N bits, where N is integer less than or equal to 128. 
Consequently, lenght M of TRAND depends on N, being 

15 M=152-N bits. 

The 24 -bit TRAND is then inputted to a combining 
unit 63, the other input of unit 63 being the 128-bit 
authentication key K ± . The output of the combining unit 
63 is a 152 -bit combination COMP of K L and TRAND. The 128 

20 most significant bits of the COMP may contain the Ki and 
the 24 least significant bits may contain the TRAND. It 
is appreciated, however, that the combination operation 
as used herein is intended to cover any method, e.g. a 
logical operation, to derive 152 -bit value by combining 

25 ^ and TRAND. 

The 152 -bit COMP parameter meets the requirements 
set on the input parameter of the CAVE algorithm in the 
calculation unit 65. Thus, the parameter adaptation 
according to the invention derives a CAVE compatible 

30 input parameter from the GSM compatible input parameters 
Ki and RAND. As a result of the calculation, the CAVE 
calculation unit 65 outputs a 18 -bit output parameter. 

The 18 -bit output parameter from the CAVE is then 
inputted to the padding unit 64 in which 14 stuff bits 

35 will be inserted so as to obtain a 32-bit value. The 14 
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stuff bits may establish, for example, the 14 least 
significant bits of the 32-bit parameter, the 18 most 
significant bits containing the 18 -bit output from CAVE 
65. It is appreciated, however, that the padding 
5 operation as used herein is intended to cover any 
method, e.g. logical operation, to lengthen the 18 -bit 
CAVE output parameter by 14 bits to obtain 32 bits. 

The resulting 32 -bit output parameter will be 
then used as the signed response SRES according to the 
10 GSM specifications. Thus, the parameter adaptation 
according to the invention derives a GSM compatible 
output parameter from a CAVE compatible output 
parameter . 

The three GSM compatible security parameters 

15 SRES, K c and RAND will be inputted to a triplet building 
unit 66 in which a standard GSM triplet is built. The 
triplet will be transferred to HLR or VLR via the 
signalling interface 67. Thus, the SRES will be 
transferred and processed in the GSM network in a 

20 similar manner as the standard SRES. 

Referring now to Fig. 7, the mobile station MS 
according to the invention stores a copy of the_ 
ciphering key Kj, of the mobile subscriber in a memory 75. 
The MS also comrises a calculation unit 76 carrying out 

25 the ciphering algorithm A8 , and a calculation unit 77 
carrying out the CAVE algorithm for authentication. On 
receiving the AUTHENTICATION REQUEST message from the 
MSC/VLR, the of the MS, which contains the hardware and 
software specific to the radio interface, the mobile 

30 equipment 78, extracts the RAND form the message, and 
then inputs the RAND and the stored K i to the A8 
calculation unit 76 for calculation of the ciphering key 
K c . In the preferred embodiment of the invention all the 
functional blocks except 78 are located in the 

35 Subscriber Identity Module or SIM of the MS. 
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The 128 -bit RAND is also an input to a truncation 
unit 72 which truncates the RAND into 24 -bit TRAND . The 
truncation unit 72 is identical to the truncation unit 
62 shown in Fig. 6. 
5 The 24 -bit TRAND is then inputted to a combining 

unit 73, together with the 128 -bit K L . The output of the 
combining unit 73 is a 152 -bit COMP . The combining unit 
73 is identical to the combining unit 63 shown in Fig. 
6 . 

10 The 152 -bit COMP is then inputted to the CAVE 

calculation unit 77 which outputs a 18-bit output 
parameter . 

The 18 -bit output parameter from the CAVE 77 is 
inputted to a padding unit 74 in which 14 stuff bits are 
15 attached so as to provide a 32 -bit value. The padding 
unit 74 is identical to the padding unit 64 shown in 
Fig. 6. 

The resulting 32-bit output parameter will be 
then used as the SRES parameter according to the GSM 

20 specifications. The SRES will returned to the mobile 
equipment 78 and sent further to the MSC/VLR in the 
AUTHENTICATION RESULT message and processed in the 
MSC/VLR as in the standard GSM system. 

An example of alternative embodiments for 

25 deriving the 152 -bit CAVE input parameter from the N-bit 
K t and RAND parameters is shown in Fig. 8. In the 
following examples N=128 but it may be any positive 
integer in these embodiments. K t will be divided into two 
parts: 104 bits of the K i; e.g. 104 LSB bits, are 

30 inputted to an input of a logical unit 81. The remaining 
24 bits of K A are inputted to a combiner 82. Similarly, 
RAND will be divided into two parts: 104 bits of the 
RAND, e.g. 104 MSB bits, are inputted to the logical 
unit 81. The remaining 24 bits of RAND are inputted to 

35 another input of the combiner 82. A logical operation, 
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such AND, OR or exclusive OR (XOR) , is performed between 
the two 104 -bit inputs, and a single 104 -bit output is 
provided. The 104 -bit output from the logical unit 81 is 
inputted to the combiner 82. The combiner 82 assembles 
5 the two 24 -bit inputs and the 104 -bit input into a 152- 
bit parameter to be inputted to the CAVE algorithm. When 
applied in the authenticatication center of Fig. 6 and 
in the mobile station of Fig. 7, the logical unit 81 and 
the combiner 82 will substitute for the truncation unit 

10 62,72 and the combiner 63,73, respectively. 

As a further modification to the embodiment of 
the Fig. 8, the 104 bits of K A and the 104 bits of RAND 
may be subdivided into equal number of subblocks, and 
different logical operations are performed between 

15 different subblocks. There may be four subsblocks of 26 
bits, for example. 

The drawing and the associated description is 
solely intended to ilustrate the present invention. 
Changes and modifications will apparent to a skilled 

2 0 person in the art without departing from the scope and 
spirit of the attached claims. 



WO 97/15161 



PCT/FI96/00543 



17 

Claims 

1. An authentication center for a mobile 
5 communications network, comprising 

a database storing an authentication key for each 
subscriber of said mobile communications network, said 
authentication key being an input parameter for 
calculation of a ciphering key and an authentication 
10 response parameter and in a format required by a first 
authentication procedure, 

a source of a random number, said random number 
being another input parameter for calculation of a 
ciphering key and an authentication response parameter 
15 and in a format required by said first authentication 
procedure, 

an encryption key calculation unit having said 
authentication key from the database and a random number 
from said source of random numbers as input parameters 

2 0 and outputting a ciphering key in a format according 

to said first authentication procedure, 

an authentication response parameter calculation 
unit requiring a single input parameter and outputting 
an authetication response parameter in a format other 
25 than the format of the authentication response parameter 
according to said first authentication procedure, 

a first adaptation unit responsive to said 
authentication key and said random number as input 
parameters for providing said single input parameter to 

3 0 said authentication response calculation unit, 

a second adaptation unit responsive to said 
authentication response parameter outputted by said 
authentication response parameter calculation unit for 
providing said authentication response parameter 
35 according to the first authentication procedure. 
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2 . An authentication parameter processing unit in 
a mobile station, comprising 

a memory storing an authentication key for a 
mobile subscriber using said mobile station, said 
5 authentication key being an input parameter for 
calculation of a ciphering key and an authentication 
response parameter and in a format required by a first 
authentication procedure, 

a source of a random number, said random number 
10 being another input parameter for calculation of a 
ciphering key and an authentication response parameter 
and in a format required by said first authentication 
procedure , 

an encryption key calculation unit having said 
15 authentication key from the database and a random number 
from said source of random numbers as input parameters 
and outputting a ciphering key in a format according 
to said first authentication procedure, 

an authentication response parameter calculation 
20 unit requiring a single input parameter and outputting 
an authetication response parameter in a format other 
than the format of the authentication response parameter 
according to said first authentication procedure, 

a first adaptation unit responsive to said 
25 authentication key and said random number as input 
parameters for providing said single input parameter to 
said authentication response calculation unit, 

a second adaptation unit responsive to said 
authentication response parameter outputted by said 
3 0 authentication response parameter calculation unit for 
providing said authentication response parameter 
according to the first authentication procedure. 

3 . An authentication method for a mobile 
communications network, comprising steps of 

35 utilizing an authentication procedure intended to 
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be used with a first authentication response calculation 
method, 

utilizing a second authentication response 
calculation method instead of said first authentication 
5 response calculation method, 

providing an authentication key compatible with 
said first authentication response calculation method 
but incompatible with said second authentication 
response calculation method, for each subscriber of said 
10 mobile communications network, 

generating a random number compatible with said 
first authentication response calculation method but 
incompatible with said second authentication response 
calculation method, 
15 deriving an input parameter compatible with said 

second authentication response calculation method from 
said authetication key and said random number, 

calculating by said second autentication response 
calculation method an authentication response 
20 incompatible with a authentication response format of 
said authentication prosedure utilized in said mobile 
communications network, 

modifying said authentication response into a 
format compatible with said authentication response 
25 format of said authentication procedure, 

transferring and storing said authentication 
response in said mobile communications network in said 
format compatible with said authentication procedure. 

4. An authentication method for a GSM based 
3 0 mobile communications network, comprising steps of 

utilizing a GSM based authentication procedure 
intended to be used with a GSM based authentication 
response calculation method, said GSM based 
authentication response calculation method comprising 
35 128 -bit random number RAND and N-bit authentication key 
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Ki as input parameters and a 3 2 -bit signed response SRES 
as an output parameter, N being a positive integer, 

utilizing a CAVE calculation method as an 
authentication response calculation method instead of 
5 said GSM based authentication response calculation 
method, said CAVE method comprising a 152 -bit input 
parameter and a 18 -bit output parameter, 

providing unique value of said N-bit Ki for each 
subscriber of said mobile communications network, 
10 storing said values of K L in a database in an 

authentication center, 

receiving a request to provide said SRES for one 
of said mobile subscribers, 

retrieving said N-bit K L of said one of said 
15 mobile subscribers from said database, 

generating said 128 -bit RAND, 

deriving said 152 -bit input parameter from said 
N-bit Ki and 128-bit RAND, 

calculating by said CAVE calculation method said 
20 18-bit output parameter, 

padding 14 additional bits into said 18 -bit 
output parameter to obtain said 32-bit SRES, 

transferring and storing said 32-bit SRES in said 
GSM based mobile communications network according to 
25 said GSM based authentication procedure. 

5. A method according as claimed in claim 4, 
wherein said step of deriving comprises steps of 

truncating said 128-bit RAND into (152-N)-bit 
truncated RAND, N being an integer less than or equal to 
30 128, 

combining said ( 152 -N) -bit truncated RAND with 
said N-bit K L to obtain said 152-bit input parameter. 

6. An authentication method for a GSM based 
mobile communications network, comprising steps of 
35 utilizing a GSM based authentication procedure 
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intended to be used with a GSM based authentication 
response calculation method, said GSM based 
authentication response calculation method comprising 
12 8 -bit random number RAND and N-bit authentication key 
5 Ki as input parameters and a 3 2 -bit signed response SRES 
as an output parameter, N being a positive integer, 

utilizing a CAVE calculation method as an 
authentication response calculation method instead of 
said GSM based authentication response calculation 
10 method, said CAVE method comprising a 152-bit input 
parameter and a 18 -bit output parameter, 

storing an unique value of said N-bit K ± provided 
for a mobile subscriber in a memory of a mobile station, 

receiving from a base station by said mobile 
15 station an authentication request including said 128 -bit 
RAND, 

retrieving said N-bit K L from said memory, 

deriving said 152 -bit input parameter from said 
N-bit ^ and 128-bit" RAND, 
20 calculating by said CAVE calculation method said 

18 -bit output parameter, 

padding 14 additional bits into said 18 -bit 
output parameter to obtain said 3 2 -bit SRES, 

transmitting said 32 -bit SRES to said base 

25 station. 

7. A method according as claimed in claim 6, 
wherein said step of deriving comprises steps of 

truncating said 128-bit RAND into (152-N)-bit 
truncated RAND, N being an integer less than or equal to 
30 128, 

combining said (152-N) -bit truncated RAND with 
said N-bit K ± to obtain said 152 -bit input parameter. 

8. An authentication parameter calculation unit 
for a mobile communication system, comprising 

35 a CAVE algorithm calculator having a first input 
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for receiving a 152 -bit input parameter, and an output 
for outputting a 18 -bit output parameter, 

a first adaptor having a first input for 
receiving 128 -bit random number RAND, a second input fo 
5 receiving a N-bit authentication key K i# and an output 
for outputting said 152 -bit input parameter derived from 
said N-bit K A and 128 -bit RAND to said input of said CAVE 
algorithm calculator, N being a positive integer, 

a second adaptor having an input for receiving 
10 said 18 -bit output parameter CAVE algorithm calculator, 
and an output for outputting a 3 2 -bit signed response 
SRES, wherein K i( RAND and SRES are GSM-based 
authentication parameters. 
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